Installation
The trojans in this family are usually installed on your PC by software bundlers that advertise free software or games, such as the following:
We have seen the trojans use the file name Laban.exe, installed in the %APPDATA% folder.
We have also seen the trojans use the file name eGdpSvc.exe, and install it to:
They also create the following registry entries as part of their installation routine:
In subkey: HKLM\SOFTWARE\eSafeSecControl
Sets value: "sid"
With data: "eGdp"
Sets value: "pid"
With data: "eSafe"
Sets value: "ptid"
With data: "imm"
Sets value: "channel"
With data: "<channel string>" where <channel string> can be "eShengJi", "newdl", or "Gdp"
Sets value: "ver"
With data: "<version number>" where <version number> is a series of numbers in the format "XX.X.X.XXXX", for example, 10.2.1.2612
When installed, some of the variants from this malware family, such as Trojan:Win32/Wysotot.C, add themselves as a service with either of the following names:
- Wsys Service
- DProtect Service
These variants register the service by making changes to the registry:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\WsysSvc
Sets value: "Type"
With data: "0x00000010"
Sets value: "Start"
With data: "0x00000002"
Sets value: "ErrorControl"
With data: "0x00000001"
Sets value: "ImagePath"
With data: "<location of the trojan>"
Sets value: "DisplayName"
With data: "<name of the service>"
Sets value: "Description"
With data: "<description of the service>"
Sets value: "Group"
With data: "SchedulerGroup"
Sets value: "ObjectName"
With data: "LocalSystem"
Payload
Modifying browser shortcut files
The trojans check if you click on any of the shortcuts for these browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
When you open your browser, the trojan will redirect you to a webpage that is not your standard homepage, such as:
- 22apple.com
- 22find.com
- delta-homes.com
- laban.vn
- portaldosites.com
- qvo6.com
- v9.com
The malware redirects you by changing what your browser shortcut points to. For example, a shortcut file to:
C:\Program Files\Internet Explorer\iexplore.exe
Will be changed to:
C:\Program Files\Internet Explorer\iexplore.exe hxxp://en.v9.com/?utm_source=b&utm_medium=eBP&utm_campaign=eBP&utm_content=sc&from=eBP&uid=<some text>&ts=<some timestamp>
Changes browser settings
The malware family also modifies the following registry keys to redirect the start menu entry for Internet Explorer:
In subkey: HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Sets value: "(DEFAULT)"
With data: "C:\Program Files\Internet Explorer\iexplore.exe" <one of the above-mentioned remote sites>
They also modify the following registry keys to change the Internet Explorer start page:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<name of remote site>"
Sets value: "Default_Page_URL"
With data: "<name of remote site>"
Example of a remote site:
hxxp://en.v9.com/?utm_source=b&utm_medium=<some tag>&utm_campaign=<some tag>&utm_content=sc&from=<some tag>&uid=<some text>&ts=<some timestamp>
Downloads and installs other files
Win32/Wysotot connects to the following remote sites to download and install updates and other files:
Creates an uninstaller
Some variants can also create an uninstall option.
They do that by making the following registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl
Sets value: "DisplayName"
With data: "Wsys Control <version>"
Sets value: "DisplayVersion"
With data: "<version>"
Sets value: "Publisher"
With data: "Wsys Co., Ltd."
Sets value: "UninstallString"
With data: "<location of the trojan> <uninstall parameter>"
Sets value: "DisplayIcon"
With data: "<location of the trojan>"
We have seen trojans use the following names for the uninstaller:
- DProtect Control <version number>
- eSafe Security Control <version number>
- Laban version <version number>
The uninstallation entry can be seen in the Control Panel. Running this uninstaller might remove the malware from your PC. The uninstaller might look similar to the following:
Bypasses firewall
Some Win32/Wysotot variants attempt to bypass the system's firewall by adding the trojan's path and file name to the registry:
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
We have seen it use the following CLSIDs in the registry entry:
{C83CBC6C-10E4-4294-8EB4-D3B4E39D14E0}
{6362668F-63A9-4417-852B-B96799BEDE22}
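The indicators described in the Installation, Payload, Creates an uninstaller and Bypasses firewall sections can be checked on a PC with the following read-only PowerShell audit. This is an added example, not code from this entry or from Microsoft; it assumes the key names, service names and CLSIDs are exactly as listed above, searches for shortcuts only in the Desktop and Start Menu folders, and should be run from an elevated PowerShell prompt.

```powershell
# Read-only audit for the Win32/Wysotot indicators described in this entry.
# Added example, not Microsoft's code. Assumptions: the key names, service
# names and CLSIDs are exactly as listed above; shortcuts are searched only on
# the Desktop and Start Menu folders. Run from an elevated PowerShell prompt.

$findings = @()

# 1. Installation key, service registration and uninstall entry
$keys = 'HKLM:\SOFTWARE\eSafeSecControl',
        'HKLM:\SYSTEM\CurrentControlSet\Services\WsysSvc',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WsysControl'
foreach ($k in $keys) { if (Test-Path $k) { $findings += "Registry key present: $k" } }
foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
    if ($svc.DisplayName -in 'Wsys Service', 'DProtect Service') {
        $findings += "Service present: $($svc.Name) ($($svc.DisplayName))"
    }
}

# 2. Internet Explorer start page and Start Menu command changed to a remote site
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($v in 'Start Page', 'Default_Page_URL') {
    $val = (Get-ItemProperty -Path $ieMain -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -match 'utm_source=.*&uid=') { $findings += "IE $v redirected to: $val" }
}
$cmdKey = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
$cmd = (Get-ItemProperty -Path $cmdKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
if ($cmd -match 'iexplore\.exe"?\s+https?://') { $findings += "Start Menu IE command: $cmd" }

# 3. Browser shortcuts whose arguments carry a URL (the shortcut hijack technique)
$shell = New-Object -ComObject WScript.Shell
$lnkDirs = 'Desktop', 'StartMenu', 'CommonStartMenu' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
foreach ($f in Get-ChildItem -Path $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $lnk = $shell.CreateShortcut($f.FullName)
    if ($lnk.TargetPath -match 'iexplore|chrome|firefox|opera' -and $lnk.Arguments -match 'https?://') {
        $findings += "Shortcut hijacked: $($f.FullName) -> $($lnk.Arguments)"
    }
}

# 4. Firewall rule values named with the CLSIDs seen in this family
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
foreach ($id in '{C83CBC6C-10E4-4294-8EB4-D3B4E39D14E0}', '{6362668F-63A9-4417-852B-B96799BEDE22}') {
    $rule = (Get-ItemProperty -Path $fwKey -Name $id -ErrorAction SilentlyContinue).$id
    if ($rule) { $findings += "Firewall rule ${id}: $rule" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Win32/Wysotot indicators found.' }
```

A legitimate browser shortcut normally has no URL in its Arguments field, so a hit in step 3 is the clearest sign of the redirect behaviour described above; the other checks confirm persistence and should be cleaned up together with the shortcut.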
Analysis by Geoff McDonald